colmbrady commented on issue #7190: URL: https://github.com/apache/apisix/issues/7190#issuecomment-1148005383
Hi @starsz,

The aim is to use APISIX as a Policy Enforcement Point (PEP) so that we can enforce authorisation.
https://www.keycloak.org/docs/latest/authorization_services/#_enforcer_overview

Our use-case for CIP is to confirm that information in the Request URI matches claims in the Keycloak JWT. We cannot do this currently because APISIX is unable to pass Request URI to Keycloak as a claim.

Here is a similar example to our use case from the Keycloak Quickstarts:

1. Policy Enforcer is configured to pass through the Request URI as a claim to Keycloak when evaluating a Policy. (We want APISIX to support this capability)
   https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-rest-employee/src/main/resources/application.properties#L13
2. Keycloak will make Request URI available in "Context" so we can use it to evaluate a policy.
   https://github.com/keycloak/keycloak-quickstarts/blob/latest/authz-js-policies/src/main/resources/match-user-from-uri.js

Does this use case make sense now?

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
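
The flow described in the comment above, as an added example that is not part of the original comment and is not APISIX or Keycloak code: the enforcement point pushes the request URI to Keycloak as a claim, and a policy compares it with a claim from the user's JWT. The claim name `http.uri`, the `/api/<user>/salary` route, the `preferred_username` comparison and the function names are assumptions made for illustration; the policy side is a local stand-in for the decision, not a Keycloak policy script.

```javascript
const CLAIM_NAME = "http.uri";            // assumed name of the pushed claim
const ROUTE = /^\/api\/([^/]+)\/salary$/; // assumed route shape (constructed)

// PEP side: encode the request URI as a pushed claim. The claim document is
// a JSON object whose values are arrays of strings, base64-encoded.
function buildClaimToken(requestUri) {
  const claims = { [CLAIM_NAME]: [requestUri] };
  return Buffer.from(JSON.stringify(claims), "utf8").toString("base64");
}

// PEP side: form body for Keycloak's token endpoint using the UMA ticket
// grant, carrying the pushed claim alongside the resource server audience.
function buildAuthzRequestBody(requestUri, audience) {
  return new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:uma-ticket",
    audience,
    claim_token: buildClaimToken(requestUri),
    claim_token_format: "urn:ietf:params:oauth:token-type:jwt",
  }).toString();
}

// Policy side (local stand-in): grant only when the user segment of the
// pushed URI equals the username claim in the caller's JWT.
function uriMatchesUser(claimToken, jwtClaims) {
  const pushed = JSON.parse(Buffer.from(claimToken, "base64").toString("utf8"));
  const uri = (pushed[CLAIM_NAME] || [])[0];
  if (typeof uri !== "string") return false;       // claim missing: deny
  const match = ROUTE.exec(uri.split("?")[0]);     // ignore the query string
  if (!match) return false;                        // extra segments, "..": deny
  let segment;
  try {
    segment = decodeURIComponent(match[1]);
  } catch {
    return false;                                  // malformed escape: deny
  }
  return segment === jwtClaims.preferred_username;
}
```
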
